WSL2-Linux-Kernel/Documentation
Kees Cook 30f20ceb87 overflow: Implement size_t saturating arithmetic helpers
[ Upstream commit e1be43d9b5 ]

In order to perform more open-coded replacements of common allocation
size arithmetic, the kernel needs saturating (SIZE_MAX) helpers for
multiplication, addition, and subtraction. For example, it is common in
allocators, especially on realloc, to add to an existing size:

    p = krealloc(map->patch,
                 sizeof(struct reg_sequence) * (map->patch_regs + num_regs),
                 GFP_KERNEL);

There is no existing saturating replacement for this calculation, and
just leaving the addition open coded inside array_size() could
potentially overflow as well. For example, an overflow in an expression
for a size_t argument might wrap to zero:

    array_size(anything, something_at_size_max + 1) == 0

Introduce size_mul(), size_add(), and size_sub() helpers that
implicitly promote arguments to size_t and saturated calculations for
use in allocations. With these helpers it is also possible to redefine
array_size(), array3_size(), flex_array_size(), and struct_size() in
terms of the new helpers.

As with the check_*_overflow() helpers, the new helpers use __must_check,
though what is really desired is a way to make sure that assignment is
only to a size_t lvalue. Without this, it's still possible to introduce
overflow/underflow via type conversion (i.e. from size_t to int).
Enforcing this will currently need to be left to static analysis or
future use of -Wconversion.

Additionally update the overflow unit tests to force runtime evaluation
for the pathological cases.

Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Keith Busch <kbusch@kernel.org>
Cc: Len Baker <len.baker@gmx.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Stable-dep-of: e001e60869 ("fs/ntfs3: Harden against integer overflows")
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-31 13:14:33 +01:00
..
ABI mtd: spi-nor: hide jedec_id sysfs attribute if not present 2022-12-31 13:14:11 +01:00
PCI pci-v5.15-changes 2021-09-07 19:13:42 -07:00
RCU
accounting sched/psi: report zeroes for CPU full at the system level 2022-06-09 10:22:48 +02:00
admin-guide x86/bugs: Add "unknown" reporting for MMIO Stale Data 2022-08-31 17:16:47 +02:00
arm
arm64 arm64: errata: Remove AES hwcap for COMPAT tasks 2022-10-29 10:12:53 +02:00
block
bpf
cdrom
core-api Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" 2022-04-08 14:24:13 +02:00
cpu-freq
crypto
dev-tools kfence: default to dynamic branch instead of static keys mode 2021-11-12 15:05:49 +01:00
devicetree dt-bindings: visconti-pcie: Fix interrupts array max constraints 2022-12-31 13:14:24 +01:00
doc-guide
driver-api spi: Update reference to struct spi_controller 2022-12-31 13:14:08 +01:00
fault-injection debugfs: fix error when writing negative value to atomic_t debugfs file 2022-12-31 13:14:03 +01:00
fb
features RISC-V Patches for the 5.15 Merge Window, Part 2 2021-09-11 14:29:42 -07:00
filesystems fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE 2022-10-26 12:34:27 +02:00
firmware-guide Documentation: ACPI: EINJ: Fix obsolete example 2022-08-25 11:40:01 +02:00
firmware_class
fpga
gpu drm/i915/display: Move DRRS code its own file 2022-03-08 19:12:40 +01:00
hid
hwmon hwmon: (lm90) Add basic support for TI TMP461 2021-12-29 12:28:48 +01:00
i2c
ia64
ide
iio
infiniband
input Input: iforce - add support for Boeder Force Feedback Wheel 2022-09-20 12:39:45 +02:00
isdn
kbuild Merge branch 'akpm' (patches from Andrew) 2021-09-08 12:55:35 -07:00
kernel-hacking
leds
litmus-tests
livepatch
locking Documentation/locking/locktypes: Update migrate_disable() bits. 2021-12-14 10:57:18 +01:00
m68k
maintainer
mhi
mips
misc-devices
netlabel
networking Documentation: fix sctp_wmem in ip-sysctl.rst 2022-08-03 12:03:49 +02:00
nios2
nvdimm
openrisc
parisc
pcmcia
power
powerpc
process overflow: Implement size_t saturating arithmetic helpers 2022-12-31 13:14:33 +01:00
riscv
s390
scheduler
scsi
security
sh
sound ALSA: usb-audio: Add quirk bits for enabling/disabling generic implicit fb 2022-06-09 10:22:41 +02:00
sparc
sphinx docs: sphinx/requirements: Limit jinja2<3.1 2022-04-08 14:22:49 +02:00
sphinx-static
spi
staging
target
timers
trace tracing/histogram: Update document for KEYS_MAX size 2022-11-10 18:15:38 +01:00
translations Merge branch 'gcc-min-version-5.1' (make gcc-5.1 the minimum version) 2021-09-13 10:43:04 -07:00
tty/device_drivers serial: 8250: Add proper clock handling for OxSemi PCIe devices 2022-08-17 14:24:23 +02:00
usb
userspace-api media: hevc: Embedded indexes in RPS 2022-08-17 14:23:31 +02:00
virt KVM: s390: pv: don't allow userspace to set the clock under PV 2022-11-16 09:58:17 +01:00
vm Merge branch 'akpm' (patches from Andrew) 2021-09-08 12:55:35 -07:00
w1
watchdog
x86 Another collection of documentation patches, mostly fixes but also includes 2021-09-08 16:28:14 -07:00
xtensa
.gitignore
COPYING-logo
Changes
CodingStyle
Kconfig
Makefile
SubmittingPatches
arch.rst
asm-annotations.rst
atomic_bitops.txt locking/atomic: Make test_and_*_bit() ordered on failure 2022-08-25 11:39:54 +02:00
atomic_t.txt
conf.py docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0 2022-06-09 10:23:30 +02:00
docutils.conf
dontdiff
index.rst
logo.gif
memory-barriers.txt
watch_queue.rst